(57) Abstract

In an Internet or Intranet environment (12), a proxy server or router
or intelligent switch or firewall (14) which supports a number of
clients (e.g. web browsers) has additional functionality which allows
it to deliver a software module (20) to a particular client (18)
depending on characteristics of that client. This downloaded module
(20) is then executed by client (18) which sets up a bidirectional
communications link between the proxy server (14) and the client (18).
This bidirectional link allows for instance a status display at the
client (18), by use of a window on the client platform, indicating the
current status of proxy server (14) activity such as virus scanning,
content filtering, bandwidth usage, etc. In other applications the
downloaded module (20) allows provision of an organizational bulletin
board, news channel, or provider of common software patches.

CONTROLLED DISTRIBUTION OF APPLICATION PROGRAMS
IN A COMPUTER NETWORK 



BACKGROUND 

Field of the Invention 

This invention relates to computer networks and more specifically to
Internet or Intranet networks and to bidirectional communication
between a client and an agent, such as a proxy server, in such
networks.

Description Of The Prior Art 

In the Internet/Intranet context, proxy servers are well known; a
proxy server is a computer software entity which is resident on a
"platform," typically a computer. The proxy server typically is
connectable to a number of client platforms (computers) on each of
which is running client software (a "client") such as a world wide web
browser ("web browser"). Typically in use the client accesses a remote
web server via the Internet or an Intranet. The remote web server is
another computer platform on which is resident software which supports
a web site. The client (web browser) then downloads web pages from the
web server, via the proxy server. Sometimes these web pages include
applets such as Java applets or other types of application programs
which are code modules (software) executable by the client.

SUMMARY

In accordance with this invention, the capabilities of a proxy server
or other similar "agent" in an Internet or Intranet environment (other
examples of agents being a firewall, a router or other type of
intelligent switch) are extended by adding software to the agent, to
allow the agent to intelligently deliver an application program (or
other code module) to a client. More broadly, an "agent" includes (but
is not limited to) any entity in a computer network that serves as a
transmission intermediary, including any entity performing a routing,
switching, filtering, or screening function for connections or for
data. For example, in Intranet networks, such agents often are nodes
which every client must pass to access the external Internet or web
servers. In this sense, an "agent" would not be a source of content
such as a web server supporting a web site.

"Intelligently" means that in some cases the delivered code module is
personalized or selected to the particular client. The web browser
client is forced to download the delivered code module instead of the
intended web page. The delivered code module is executed by the client
and can then perform some function on the client and in some
embodiments communicate with the agent (e.g. proxy server)
bidirectionally, i.e. with information being transferred both ways.

The application program which is delivered is for instance any type of
code (software) module or scripting language capable of being executed
by the client. Where the client is a web browser, examples of
delivered application programs include Java applets, Active-X controls
or other types of executable software modules. Typically the agent
determines a characteristic(s) of the client and intelligently selects
or forms a particular code module in response to the determined
characteristic of the client. The agent then downloads this code
module down to the client, resulting in the code module being resident
at the client, to be executed thereby.

The code module may be personalized to the client, or may be selected
from a group of available code modules, or may be a standard code
module. The following steps occur:

1. The client connects to the agent.

2. Software resident at the agent determines if the application
program should be delivered.

3. The application program is delivered and communication is
established between the delivered application program and the software
resident at the agent.

In one exemplary embodiment, the delivered code module is a Java
applet which is executed at the client and upon execution reports at
the client a status of a virus scan being performed by the proxy
server (agent). This is useful where the virus scan is of a type
resident at the proxy server rather than at the client. This reporting
of the status of the virus scan, in the form of a displayed window on
the client platform, indicates to the user of the client what is the
status of the virus scan, and therefore the user knows that any delay
is due to the virus scan rather than a failure on the part of the
proxy server.

In another embodiment, the delivered code module allows the client to
monitor the connection between the client and a remote site (a web
server) and thereby function for instance as a network management
agent, a filter or a security firewall. In this case the delivered
code module may in some situations, upon occurrence of a predetermined
event, direct the agent (e.g. proxy server) to terminate the
connection between the client and the remote web server, for instance
upon an attempt to download particular web site material such as adult
material. Also if there is an appearance of material which is in
violation of for instance a firewall security policy, the connection
may be terminated in this situation. Hence such filtering functions
may be personalized to each client.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 shows a general diagrammatic depiction of 
an application delivery method in accordance with this 
invention. 

Figure 2A shows a flow chart of use of the present 
application delivery method. 

Figures 2B and 2C are state diagrams relating to 
Figure 2A. 

Figure 2D shows an additional flowchart relating 
to Figure 2A. 

Figure 3 shows a screen display relating to
Figure 2A. 

DETAILED DESCRIPTION

The following description is of certain embodiments in accordance with
this invention and is not limiting. This disclosure assumes
familiarity with well known aspects of Internet/Intranet computer
networking, all of which are well known and commercially available and
hence are not disclosed in any particular detail herein.

Figure 1 shows diagrammatically an application program delivery method
in accordance with this invention. The entities shown include a web
server 12 (or equivalent), for instance on the Internet or on an
Intranet. Agent 14 is in one embodiment a proxy server, of the type
disclosed above, with certain modifications; it is to be understood
that a proxy server is a software entity executed on a proxy server
platform (computer). Such proxy servers are commercially available,
for instance from Microsoft or other vendors; the Microsoft proxy
server software is called Microsoft Proxy Server. It is to be
understood one embodiment of the present invention takes the form of
additional code which runs on the agent (proxy server) platform, and
which may be embedded in the conventional proxy server software as
additional functionality thereto. This additional code is not shown
here but can be written by one of ordinary skill in the art in the
light of this disclosure.

The third entity shown is the client 18 which is e.g. a web browser
such as the well known Microsoft Explorer or Netscape Navigator. The
web browser is a type capable of executing the delivered application
program. For instance, if the delivered application program is a Java
applet, the client must be capable of supporting Java, i.e. include a
Java virtual machine. Of course if the delivered application program
is an Active-X control, the client must have the capability to execute
same, for instance the Microsoft Internet Explorer browser.

In Figure 1, the first step is that conventionally the client 18
attempts to connect to the web server 12 via the agent 14. The agent
14 is not necessarily a proxy server, but may be for instance a router
or other type of intelligent switch of the type typically used in the
Internet/Intranet environment.

In the second step, the agent (software) 14 determines a pertinent
status or characteristic of the client 18, such as the client's
Internet (IP) address, and then dynamically, i.e. in response to the
determined status or characteristic, forms a particular software code
module 20 (an application program such as a Java applet). Thus the
nature of the particular code module 20 may be dependent on the
determined characteristic(s) of the client 18 and may be different
("personalized") for particular clients. In some embodiments, the
module 20 is not so personalized.

In the third step, the agent 14 delivers (downloads) this particular
code module 20 to the client 18 so that code module 20 resides at the
client and may be executed thereby. For instance, module 20 is a Java
applet to be executed by the Java virtual machine which is part of the
client 18.

In the fourth step, the agent 14 conventionally connects to the web
server (or other site) 12 on behalf of the client 18. This step can be
initiated by the delivered code module 20 also.

The fifth step is for the delivered code module 20 (or the client) to
establish a communications link with the software running on the
agent, if needed.

Also at this point the agent 14 may transmit information down to the
delivered code module 20 running in the client 18, for instance
information to indicate particular activity in the agent 14 such as
the status of a virus scan being performed by the agent 14. A
bidirectional connection is thereby established in this fifth step for
reporting information between the agent 14 and the client 18. This
capability is not available in the prior art.

A more detailed process of this type as illustrated in Figure 2A,
where the agent 14 is a proxy server, is as follows:

1. The client 18, a web browser which is configured e.g. to support
Java, begins its conventional execution and attempts to connect to the
proxy server 14 for the first time to begin a session by submitting a
conventional HTTP request to the proxy server in step 40.

2. The proxy server 14 compares the IP address of the client web
browser 18 with a list of the IP addresses of the clients it currently
considers to be connected to the proxy server and does the following:

a. If the client 18 is on the list of addresses, the proxy server 14
processes the HTTP request normally. This is because the assumption is
that the particular application program 20 to be delivered is already
resident at the client 18 and thus need not be delivered again to the
client.

b. If the client 18 is not on the list, then the proxy server 14
assumes that there is a need to deliver the application program 20 to
the client. The proxy server 14 thereby answers the HTTP request with
a modified HTML (hyper-text mark up language) page (for instance a web
page) which instructs the client 18 to load the application program 20
from the proxy server 14 in step 54. Thus after the delivered
application program 20 is loaded by the client 18, i.e. is resident on
the client platform, this application program 20 is automatically
started by the client 18. The original HTTP request is filled in one
of two ways:

i) The modified HTML page contains the original response HTML page
along with additional HTML code appended by the proxy server.

ii) When the delivered application program 20 starts execution, the
application will make the web browser 18 re-submit the original HTTP
request.

c. While the delivered application program 20 is executing on the
client 18, it performs tasks as intended by the added software on the
proxy server 14. Since the delivered application program and the proxy
server both know each other's IP address, they can communicate
bidirectionally via the conventional network connections using
conventional data packets. For instance, the bidirectional
communication (step 5 in Figure 1) can include reporting from the
proxy server to the client the status of a virus scan being performed
by the proxy server. In one embodiment, to determine if the delivered
application program is in communication with the proxy server, the
proxy server either looks for or is notified by one or more of the
following events by the delivered application program:

a) "Delivered application program is running on client."

b) "Delivered application program is timed out." (This occurs when the
proxy server stops receiving "Delivered application is running on
client" events after a predetermined time interval.) These events
allow the agent software to determine if a client is still connected
to it.

c) "Delivered application program has exited."

Typically the proxy server will only deliver one instance of the
particular application program down to the client. There may be
exceptions, for instance when multiple delivered application programs
are needed to achieve a desired result. In this situation the proxy
server counts how many instances of the delivered application program
are running and if needed delivers another application.
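
The proxy-side bookkeeping of step 2 and events (a) to (c), as an added Python example that is not part of the patent text. The 30-second timeout, the placeholder loader markup, the event names RUNNING/EXITED and the choice to create the list entry at delivery time are assumptions; the text leaves them open.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 30.0  # seconds; assumed, the text only says "predetermined"

# Placeholder for the HTML that makes the browser load module 20 (hypothetical).
LOADER_MARKUP = "<!-- loader for delivered module 20 (placeholder) -->"


@dataclass
class ClientTable:
    """Agent-side list of client IPs considered connected.

    Keyed by IP address as in the text, so clients that share an address
    (for example behind NAT) share a single entry.
    """
    timeout: float = HEARTBEAT_TIMEOUT
    last_seen: dict = field(default_factory=dict)  # ip -> time of last sign of life

    def expire(self, now):
        """Event (b): drop clients whose RUNNING events stopped arriving."""
        stale = [ip for ip, t in self.last_seen.items() if now - t > self.timeout]
        for ip in stale:
            del self.last_seen[ip]  # REMOVE FROM DATABASE (Figure 2D)
        return stale

    def on_event(self, ip, event, now):
        """Events (a) RUNNING and (c) EXITED reported by the delivered module."""
        if event == "RUNNING":
            self.last_seen[ip] = now
        elif event == "EXITED":
            self.last_seen.pop(ip, None)
        else:
            raise ValueError(f"unknown event: {event!r}")

    def handle_request(self, ip, original_html, now):
        """Step 2: return (action, body) for an HTTP request from `ip`."""
        self.expire(now)
        if ip in self.last_seen:
            return "PASS", original_html  # step 2a: module already resident
        # Step 2b, option (i): original page plus markup appended by the proxy.
        # Assumption: the entry is created now, so follow-up requests are not
        # answered with the loader again; if the module never reports RUNNING
        # the entry simply times out.
        self.last_seen[ip] = now
        return "DELIVER", original_html + LOADER_MARKUP


def replay(timeline, timeout=HEARTBEAT_TIMEOUT):
    """Run (time, ip, kind) tuples through a table; return actions per request."""
    table, actions = ClientTable(timeout=timeout), []
    for now, ip, kind in timeline:
        if kind == "REQUEST":
            actions.append(table.handle_request(ip, "<html>page</html>", now)[0])
        else:
            table.on_event(ip, kind, now)
    return actions


if __name__ == "__main__":
    # Constructed timeline for one client address.
    sample = [(0, "10.0.0.5", "REQUEST"), (1, "10.0.0.5", "REQUEST"),
              (10, "10.0.0.5", "RUNNING"), (35, "10.0.0.5", "REQUEST"),
              (100, "10.0.0.5", "REQUEST")]
    print(replay(sample))
```
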

Figure 2A shows a more detailed flow chart of one particular
embodiment of the present invention, where the agent is a proxy
server, the client is a web browser, and the application program which
is delivered to the client is an HTML page (window) which indicates
the status of a virus scan being executed by the proxy server on
information downloaded from the remote web site which the client is
attempting to access. The actual virus scanning at the proxy server is
conventional, using for instance the InterScan package commercially
available from Trend Micro.

Figure 2B is a state diagram of the delivered application program
showing its two basic states - the RUNNING state and, upon the
application exiting or termination, the EXIT state. (The thread of
execution shown in Figure 2B is used only if the above-described
secondary agent to application program communications link is via UDP
datagrams.)

Figure 2C shows a second thread of execution state diagram of the
delivered application program showing the WAIT FOR DATA state and the
PROCESS DATA state, with the state transitions occurring upon data
being available or the data having been processed.

Figure 2D shows a state diagram for the 
corresponding client address database processing at the 
proxy server, for the action REMOVE FROM DATABASE of a 
client address. 

In one particular embodiment, an HTML page including a Java applet is
downloaded from the proxy server to the client to report the status of
the proxy server virus scanning. Since the communication link between
the Java applet and the software at the proxy server has been
established, one can send the Java applet the virus scan status as
needed; this status information is displayed by the applet. This
obviates the prior art situation where during a virus scan performed
by a proxy server, the user of the client has no indication of what is
happening and may think that a long virus scanning delay is the result
of a fault rather than merely the usual delay. During this virus
scanning time, the Java applet provides a window, shown in the upper
left of Figure 3, indicating the virus scan status. This window
illustrates transmission of information from the proxy server to the
client; the flow of information is from the client back to the proxy
server in other examples, such as a personalized "firewall", bandwidth
monitor, and content filter, which require two-way communication.

This delivered Java applet is automatically loaded and started when
the user starts up his web browser. The illustrative "Yahoo" web page
shown in Figure 3 is otherwise conventional and the delivered Java
applet is loaded without user intervention. Such a virus scanner is a
specific example of a proxy server status display which allows the
client to display the current status of proxy server activity such as
virus scanning, content filtering, malicious code scanning, etc. This
allows display, by use of a window on the client platform display, to
illustrate the status of processing by the proxy server beyond the
traditional web browser proxy server functions.

Note that in accordance with the invention the client and the agent
maintain an intelligent (bidirectional) communications channel
therebetween, which is not limited to the HTTP protocol. This allows
monitoring of all activity on the client and can notify the agent for
instance to disconnect upon occurrence of certain events.

Other examples of the present application delivery approach include a
network management agent that reports and controls the bandwidth (in
terms of time and/or information flow) that is used by a certain
client when communicating with an agent. Another example is a
personalized (client specific) security "firewall" that is centrally
controlled (at the proxy server) in terms of setting the firewall
security provisions. This allows the client, in real time, to monitor
the connection to itself and then notify the agent to filter out any
specific traffic, and vice versa also.

In another example, the delivered application program is used as an
Internet policy enforcement agent. For example, before granting a
connection from the client to the Internet, the agent checks the
client for a particular user name and proper security setting for the
client.

Another example of the present delivered application program is
generally the category of news agents or channels which allows an
organization to post relevant information on its proxy server to be
distributed to users (e.g. organization members) who access the
Internet/Intranet through that organization's proxy server. Database
information is maintained on the organization's proxy server which
delivers the proper application program to each client to view the
database each time the Internet/Intranet is accessed through that
proxy server. The information might include for instance network
status, organization events, or other news.

Another related example is a software patch/library agent in which the
proxy server contains a program which searches the Internet/Intranet
for various latest software packages available. When a user connects
to the proxy server, the versions of the software on his particular
client platform are compared to the latest versions of this software
stored on the proxy server. If there is a newer software package or
patch available, the user of each client is prompted to download that
newer version.

This description is illustrative and not limiting; further
modifications will be apparent to one skilled in the art in light of
this disclosure and are intended to fall within the scope of the
appended claims.

We claim:

1. In a computer network including a remote server, an agent, and a
client, a method comprising the steps of:

the client attempting to connect to the remote server through the
agent;

the agent determining a characteristic of the client and providing a
code module in response to the determined characteristic;

the agent downloading the code module to the client, resulting in the
code module residing at the client; and

the agent forming a connection to the web server on behalf of the
client.

2. The method of Claim 1, wherein the agent is an intermediary entity
for providing connectivity or transmitting data between the remote
server and the client.

3. The method of Claim 2, further comprising the step of the client
reporting its status to the agent, whereupon the agent determines if
the connection is to be continued.

4. The method of Claim 2, further comprising the step of establishing
bidirectional communications between the agent and the client via the
downloaded code module.

5. The method of Claim 2, wherein the client is a web browser.

6. The method of Claim 2, wherein the agent is one of a router, an
intelligent switch, a proxy server, and a firewall.

7. The method of Claim 2, wherein the downloaded code module is an
application program.

8. The method of Claim 7, wherein the downloaded code module is
selected from a group consisting of a Java applet, an Active-X
control, and any application executable software supported by the
client.

9. The method of Claim 2, wherein the downloaded code module reports
at the client a status of an operation performed by the agent.

10. The method of Claim 9, wherein the operation is a virus scan.

11. The method of Claim 2, wherein the code module allows the client
to monitor a status of the connection to the remote server.

12. The method of Claim 3, wherein the downloaded code module directs
the agent to terminate the connection upon occurrence of a
predetermined event.

13. The method of Claim 2, wherein the step of providing comprises
dynamically forming the code module.

14. The method of Claim 2, wherein the step of providing comprises
selecting from a group of code modules.

15. An agent for use in a computer network including a remote server
and a client to be connected to the remote server via the agent, the
agent comprising:

a portion which determines at least one characteristic of the client;

a portion which provides a code module in response to the determined
characteristic of the client; and

a portion which downloads the code module to the client so that the
code module resides in the client.

16. The agent of Claim 15, wherein the agent is an intermediary entity
for providing connectivity or transmitting data between the remote
server and the client.

17. The agent of Claim 16, wherein the client reports its status to
the agent using the downloaded code module, whereupon the agent
determines if a connection between the client and the web server is to
be continued.

18. The agent of Claim 16, further comprising a portion which
establishes bidirectional communications between the agent and the
client via the downloaded code module.

19. The agent of Claim 16, wherein the client is a web browser.

20. The agent of Claim 16, wherein the agent is one of a router, an
intelligent switch, a proxy server, and a firewall.

21. The agent of Claim 16, wherein the downloaded 
code module is an application program. 

22. The agent of Claim 21, wherein the downloaded code module is
selected from a group consisting of a Java applet, an Active-X
control, and any application/executable software supported by the
client.

23. The agent of Claim 16, wherein the downloaded code module reports
at the client a status of an operation performed by the agent.

24. The agent of Claim 23, wherein the operation is a virus scan.

25. The agent of Claim 16, wherein the code module allows the client
to monitor a status of the connection to the remote server.

26. The agent of Claim 16, wherein the downloaded code module directs
the agent to terminate the connection upon occurrence of a
predetermined event.

27. The agent of Claim 16, wherein the code module is formed
dynamically.

28. The agent of Claim 18, wherein the code module is selected from a
group of code modules.